A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-)
Based at The Law School of Strathclyde University. From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be lilian.edwards@strath.ac.uk.

Monday, January 30, 2006

I was teaching my class about interception and surveillance last week and reminded them that you don't need to be government or Echelon or a spook to spy on someone these days: their never-without-it mobile phone is a portable locational bug waiting to happen. And lo and behold, in Saturday's Guardian is a convenient explanation of how you can use a mobile to stalk your chosen prey (EDIT: And here's a previous piece that's even better):

"Here is how it works. You register on the site, pay a few quid, type in the phone number of the person you want to track, and then the system sends them a text message. All you need to do is surreptitiously get access to your target’s mobile phone, without their knowledge, for just five minutes: long enough to receive that text message, reply with the word LOCATE, and delete two text messages that arrive immediately, warning them they are being tracked. You can stalk them for a couple of days, find out if they really are where they say they are, work out who they are with, perhaps find out if they’re having an affair, then delete them off the system. They will never be any the wiser."

Boing Boing link to a report on the implications of search engines - including Google - automatically recording the IP addresses of searchers.

"Up until now, I’ve only discussed the implications of having an IP address. The situation gets much much worse when you start using it. Because every bit of network traffic you use is marked with your IP address, it can be used to link all of those disparate transactions together. Despite these possible correlations, not one of the major search engines considers your IP address to be personally identifiable information."

Of course in Europe we have DP law and an IP address would be personally identifying data and therefore protected by the Data Protection Principles, including limitation of data collection by purpose and time of retention, right? Wrong. A recent survey by the Information Commissioner's Office in the UK found huge disparities across Europe as to whether an IP address would ALWAYS or even sometimes be treated as personal data.

Plus of course the new data retention rules that are coming in will mandate data retention of certain items for telcos and ISPs. Will these rules apply to search engines? I guess we have to wait for the detail of national implementations of the Data Retention Directive.

Finally, deep into the further reaches of conspiracy theories re privacy and web-bugging, we have this interesting comment from the responses to the IP article above.

"I don’t have any ads on the site, I do have embedded Flickr pictures. So, here’s a question - is Flickr just a cover for a huge web bug operation used to track visits to sites that have embedded Flickr pictures, or is that being overly paranoid?"

Flickr is a site where users can post photos they've taken and embed them in their web pages - they can then be viewed, uploaded etc by the public (or not as you choose).

In theory it seems plausible that every embedded Flickr image could indeed act as a web beacon, since each view fetches the image from Flickr's servers: Flickr could then correlate sign-up IDs with IP addresses and the web sites embedding the pictures, as well as patterns of known associates (people who look at your pictures tend to be people who know you).

Anyone like to comment? I must go have a look at the Flickr privacy policy :-)

A US district court has ruled in Field v Google that Google's cache feature, which allows users to access copies of web pages made when they were viewed or "spidered" by Google robots, does not breach copyright in those web pages. The matter had never been decided in the US courts before. The case was brought by author and lawyer Blake Field who had taken exception to Google's caching of about 50 stories posted by Field on his website. He brought an action for copyright infringement, arguing that the Google cache feature allowed web users to access copies of his copyrighted material without his authorisation. The court disagreed.

The court had three bases for its decision. First, if anyone was breaching copyright when the cached copy was accessed, it was not Google but whoever made that cached page request. Google was merely "passive in this process". Secondly, it was shown that Field knew how to disable the caching feature, using the "do not archive" metatag inserted in a page's HTML code, or a robots.txt file on the site, either of which tells Google spiders not to make copies of that page. Field could have used that facility, but chose not to. As such, he was personally barred from claiming copyright infringement against Google.
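As an added illustration (not code from the original post), the two opt-outs the court relied on can be audited mechanically: the Python below reads a page's HTML for a robots or googlebot meta tag carrying the "noarchive" directive and parses a robots.txt for a Googlebot disallow rule, using only the standard library. The sample HTML and robots.txt are constructed, and the helper names are my own.

```python
"""Check whether a page carries the Google cache opt-outs discussed in Field v
Google: a robots meta tag with the 'noarchive' directive in the page's HTML,
and/or a robots.txt rule that keeps the crawler off the URL entirely."""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMetaCollector(HTMLParser):
    """Collects directive tokens from <meta name="robots"|"<bot>" content="..."> tags."""

    def __init__(self, bot_name="googlebot"):
        super().__init__()
        self.bot_name = bot_name.lower()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = attr.get("name", "").lower()
        # "robots" addresses every crawler; a bot-specific tag addresses only that bot.
        if name not in ("robots", self.bot_name):
            return
        for token in attr.get("content", "").split(","):
            token = token.strip().lower()
            if token:
                self.directives.add(token)


def meta_directives(html, bot_name="googlebot"):
    """Return the set of robots directives in the HTML that apply to bot_name."""
    collector = RobotsMetaCollector(bot_name)
    collector.feed(html)
    collector.close()
    return collector.directives


def crawl_allowed(robots_txt, url, bot_name="Googlebot"):
    """True if robots.txt lets bot_name fetch url (stdlib parser, no network)."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(bot_name, url)


def cache_opt_out_status(html, robots_txt, url):
    """Summarise both opt-outs for one page (hypothetical helper, my own name)."""
    directives = meta_directives(html)
    allowed = crawl_allowed(robots_txt, url)
    noarchive = "noarchive" in directives
    return {
        "crawl_allowed": allowed,
        "noarchive": noarchive,
        # A cached copy can only be offered if the page may be fetched at all
        # and does not tell the crawler not to archive it.
        "cache_permitted": allowed and not noarchive,
    }


# Constructed sample inputs (not from the case or any real site).
SAMPLE_ROBOTS_TXT = """\
User-agent: Googlebot
Disallow: /drafts/

User-agent: *
Disallow:
"""

PAGE_WITH_OPT_OUT = """<html><head>
<meta name="robots" content="index, follow, noarchive">
<title>Story</title></head><body>...</body></html>"""

PAGE_WITHOUT_OPT_OUT = """<html><head><title>Story</title></head>
<body>...</body></html>"""


if __name__ == "__main__":
    for label, html, url in [
        ("opted out via meta tag", PAGE_WITH_OPT_OUT, "http://example.test/stories/1"),
        ("no opt-out at all", PAGE_WITHOUT_OPT_OUT, "http://example.test/stories/2"),
        ("blocked by robots.txt", PAGE_WITHOUT_OPT_OUT, "http://example.test/drafts/3"),
    ]:
        print(label, cache_opt_out_status(html, SAMPLE_ROBOTS_TXT, url))
```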

Finally, and most crucially, the use Google made of the material was fair use, said the Court. The four tests usually applied to determine if a use is "fair use" are:

(1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
(2) the nature of the copyrighted work;
(3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
(4) the effect of the use upon the potential market for or value of the copyrighted work.

Applying the usual US jurisprudence, the judge found that Google's use was fair because, crucially, it was both transformative and socially valuable.

"Because Google serves different and socially important purposes in offering access to copyrighted works through 'Cached' links and does not merely supersede the objectives of the original creations, the Court concludes that Google's alleged copying and distribution of Field's web pages containing copyrighted works was transformative."

This means the court accepted that making copies in cache as part of the creation of a database for a search engine was something very different from, say, making copies so as to sell pirate copies to the author's potential audience. Google were not using their cache copies for any commercial purposes which interfered with the revenues the author would make from them or could reasonably be anticipated to make. Nor could Google's "socially important" purpose, to create a comprehensive freely available search database, including historic records of altered pages, be accomplished without using caches of the whole page rather than extracts; so the fact that the whole rather than parts were copied was not fatal to the claim of fair use.

Finally, the court found Google did gain the benefit of the "safe harbor" defence under the Digital Millennium Copyright Act, s 512(b), which provides a defence to service providers for the "intermediate and temporary storage of material on a system or network controlled or operated by or for the service provider" where the storage is carried out by an "automatic technical process". There had been doubt in the past as to whether this was intended to cover "long term" cache storage of the sort Google use - around 14 to 20 days storage. The court found this was indeed temporary, since a similar period of 14 days cache had been found legitimate in Ellison v Robertson 357 F.3d 1072, 1081 (9th Cir. 2004).

As OUT-Law note, this ruling could hardly be more helpful to Google in its ongoing Google Print dispute. The Google Print project, just like ordinary Google caching, involves the automated making of full copies of pages of books, scanned in as electronic text, with the intent of making a search index from them which can then deliver limited sections of the books scanned. When book publishers complained this infringed their rights to control the making of copies, Google responded that the publishers had the ability to opt out of scanning. However, under pressure, Google reversed their practice on this and asked publishers to explicitly "opt in" to Google Print, rather than leaving the onus on them to "opt out". This of course makes the project of potentially much lower social value, as well as leaving out "orphan works" whose copyright holders are unknown.

A court, albeit a District Court only, now seems to have validated Google's original "opt-out" approach. Not only that, but it has clarified that scanning in full text, as opposed to merely extracts of texts, can be acceptable fair use. Finally, it has apparently rebutted the damning argument that Google Print cannot be fair use because it disrupts future revenues, in the form of as yet uncommenced efforts by publishers to provide or license similar revenue-generating book-scanning search engines.

Although I am in favour of Google Print as a project (what academic isn't?), this all seems just a tad too good to be true. For example, in relation to the fair use criteria, Google can hardly claim with a straight face to make no commercial revenue out of providing either cached page links or Google Print in its full glory. Their revenue comes from AdWords, and these sell because so many million people use Google to search - something providing Google Print can only enhance. This point was raised by Field, but brushed aside: "The fact that Google is a commercial operation is of only minor relevance in the fair use analysis."

Field's works also had little or no commercial value per se. The court found: "There is no evidence of any market for Field's works. Field makes the works available to the public for free in their entirety, and admits that he has never received any compensation from selling or licensing them."

The situation was, therefore, rather different from, say, Oxford University Press complaining about the scanning and distribution of parts of their money-making textbooks or encyclopaedias. The court also found that:

"there is no evidence before the Court of any market for licensing search engines the right to allow access to Web pages through "Cached" links, or evidence that one is likely to develop."

But this is probably by now not at all true of large scale book scanning operations - it is obvious that the major publishers, stung by the Google and subsequent Yahoo! etc activity, are getting their asses in gear on this one, and that a future search-and-pay-per-view licensed market by each publisher, or consortia of publishers, can well be imagined.

Finally, the application of the DMCA caching safe harbor decision to Google is right in technical detail, but in terms of purpose, is deeply suspect. The caching safe harbor of the DMCA (just like its equivalent in the EU, the EC E-Commerce Directive (ECD) Art 13) was intended to protect the common practice of making highly temporary local copies of multiply-accessed web pages, to reduce transmission times to local users making page requests, and to reduce overall Internet congestion. The Google cache serves at least one very different purpose: to make copies of web pages available to users for some time even when the page has moved or been removed (perhaps deliberately to avoid search). Furthermore, since Google spiders periodically return to un-protected pages to refresh the cache, the cache storage of an unaltered page can be seen as permanent, or at least as not "temporary", since it may effectively persist for a much longer period than the 14-20 day cycle cited in court. (I note with some amusement that in my first post on Google Print months ago I was already quizzical about whether Google could take advantage of the caching safe harbors.)

The court seems, indeed, to have gone further in its first finding, by deeming Google "passive" in the process of making and transmitting a copy to the user who makes a page request from a Google cache page link. To this author, that sounds a lot like a finding that Google is not even actively caching under s 512(b) but is merely a "mere conduit" (as we Europeans call it - see EC ECD, Art 12) - or, as stated under s 512(a) of the DMCA, someone who only provides "transmission, routing, provision of connections or storage through a system or network controlled or operated by the service provider." If Google, albeit by automated technologies, initiate the making of cached copies for their own purposes, not for the needs of end users, they are not, in my view, being passive "mere conduits", and it is misleading of the court, for whatever well-meant purposes, to make that analogy.

In any case, when we come to Google Print, the intentional and active nature of the copying, even by automated means, becomes even more obvious. Furthermore, scanned copies of books will be available indefinitely one assumes: so it would be unreasonable for the caching safe harbor to apply (nor would the hosting safe harbor in either DMCA or ECD be appropriate, since while the content is supplied by a third party, the copying - and potential copyright infringement - is undertaken by Google).

So to sum up: good news for Google on fair use, and very good news indeed on "opt out" as opposed to "opt in". Watch this space, as I keep saying. Your humble blogger will be chairing a debate on Google Print at WWW 2006 (http://www2006.org/) in sunny Edinburgh - I am looking forward to it.

As heavily predicted by various commentators, including, ahem, moi, Denial of Service (DoS) attack in the UK is set to become a new offence within the year. Parts of the Private Members Bill on Computer Misuse put forward last year by MP Tom Harris will be included in a new general crime bill. The Government has included updates – with new offences and stiffer penalties – in the Police and Justice Bill, introduced January 25 2006. This will amend the now rather outdated Computer Misuse Act 1990. The matter was brought to a head when a court cleared a teenager last November who had sent five million emails to his former employer, on the grounds that no offence had been committed under the Act. Section 34 of the Bill expands on the 1990 Act's existing provisions to cover someone who does an unauthorised act in relation to a computer with "the requisite intent and the requisite knowledge." Previously, s 3 of the 1990 Act prohibited only unauthorised modification of computer programs or data. (Section 1 of the Act deals with unauthorised access, i.e. hacking.)

The requisite intent referred to is an intent to do the act in question, and by so doing:

- to impair the operation of any computer,
- to prevent or hinder access to any program or data held in any computer, or
- to impair the operation of any program or data held in any computer.

This is not so different from the existing law (see emboldened parts). The section on intent is identical to that in the existing 1990 Act, s 3. Crucially, the argument that an unsecured website impliedly authorised everyone in the world to make page requests from it, or send emails to it - even where those requests are for 5 million pages in an hour, leading to the server falling over - still seems potentially open.

As was said by the judge in the November teenager case: "In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorised' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]."

The new law has changed the word "modification" to "act" (which is not defined except to say it includes a series of acts) but has not touched the word "unauthorised". To make matters worse, s 34(4) states that "For the purposes of subsection (1)(b) above, the requisite knowledge is knowledge that the act in question is unauthorised". How hard is it to claim after the November case that you reasonably thought making page requests or sending emails was an authorised act?

Quid iuris? One way round this of course would be a clear statement on any potential target website that persons are explicitly not authorised to send multiple emails to the site with the intent of causing system degradation - but this carries with it the usual problems of adequate notice for incorporation, nor is it a very appealing thing to have on your website front page. If the government are finally (after 3 PM Bills) going to the effort of making new law on DoS, I am surprised they have not chosen to clarify the meaning of "unauthorised" by statute. The intent requirement alone will not create a water-tight crime of DoS if the actus reus is not satisfied.

Less ballyhooed but also of interest is the new section 3A added by the 2006 Bill which is extracted below:

"3A Making, supplying or obtaining articles for use in offence under section 1 or 3
(1) A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article—
(a) knowing that it is designed or adapted for use in the course of or in connection with an offence under section 1 or 3; or
(b) intending it to be used to commit, or to assist in the commission of, an offence under section 1 or 3."

This probably criminalises the making and selling of virus and DDOS toolkits, something I have wondered about in the past. What if you write a virus-making toolkit to learn about viruses and virus-spreaders so you can be a better security expert? (a) may still catch you. I would have felt happier if the new offense was restricted to the (b) branch, or if the "or" was an "and".

Wednesday, January 25, 2006

My correspondent pete@fenelon.com adds, rather sensibly: "Something that nobody's yet pointed out about Google China self-censoring is that it's fairly pointless for it to return 'banned' search results anyway, as the 'Great Wall' firewall will block anything containing dangerous subversive content like "democracy" or "Taiwan" anyway.

What use is a search engine where most of the results you click on are blocked by something else? ;)

Pragmatic move by Google, I'd say. No point searching for content you can't look at in full."

Another interesting (and perhaps overly provocative, but I like that :-) point made on the Cyberprof mailing list was: why is it ok for the US to export its principles such as freedom of speech to China, but not for China to export its principle of the supremacy of the communist state's security over such freedom to a US company? They're all just values after all..

Best title evah!!! as Silicon Valley.com comments on Google's controversial roll out of a state-agreed censored Google feed to China. Not had much time to absorb this, but certain obvious arguments can be made: that a censored service, where blocked sites are at least indicated, is better than continual tussles with the government which might lead to either the total blocking of the site to most PRC residents who can't get access via foreign proxy sites etc, and/or the compulsory imposition of invisible upstream filtering; that Google has a considerable number of employees in China and has to protect them from possible Government backlash; that Google is only doing publicly, and with certain safeguards, what the likes of Yahoo! and MSN are already doing covertly.

At heart, even if this is the current best-case scenario for China, what this crisis clarifies is the unsatisfactoriness of a world where Internet search is controlled by a private company; as many, many have observed, this bodes ill to be as unsatisfactory as a world where 90% of operating systems are controlled by Big Bill. The capitalist solution is, presumably, a better competing search engine (though would they not have as much trouble in China as Google, and without the market power to negotiate on details?) The regulatory solution is to apply human rights law directly to certain private actors such as Google and Microsoft. But how pie in the sky is that, folks?

As Silicon Valley note, Google put PR credit in the bank with recently refusing the US government subpoena of personal data. Cynically one might hazard that that was intended to counteract a backlash as a result of this decision. Knowing some senior Google people personally, I don't actually think that myself - but it will be interesting to see what happens to the share price.

Monday, January 23, 2006

The Scottish Executive have announced a consultation on the Electronic Communications (Scotland) Act 2006. The purpose of this consultation is to seek views/comments on the proposals to amend appropriate legislation to allow for electronic communications to be accepted in the same way as "in writing" or "by hand" submissions. Starting: Friday, January 27, 2006 Deadline: Friday, March 24, 2006

This should pave the way, one hopes, for fully electronic conveyancing (following the existing ARTL project), electronic application for legal aid (also already being piloted), and, perhaps, electronic voting? No more current details - queries to christine.gresswell@scotland.gsi.gov.uk.

Thursday, January 19, 2006

Just as the Yahoo! v France litigation disappears thankfully beneath the waves of the technical process of the US appeal court procedures, a new transatlantic dissensus storm cloud appears.

Wikipedia Germany is down today (19/1/06) because of a court order of some sort, posts James Enck on EuroTelcoblog today. He reports that the legal dispute relates to a deceased German hacker whose real name is used on the Wikipedia site - his family have apparently sued to have the site shut down on the grounds that this violates their privacy.

The case is a lovely example of how notice and take down - in this case backed by court order - can remove vast amounts of useful content from a public site even before the merits have been decided.

Except that you can still read the exact same content in both German and English, on US Wikipedia, which is also available in German translation. A court order would have to be sought from the US to close them down too and US freedom of speech law is highly unlikely to allow this.

Saturday, January 14, 2006

The Law Society Gazette, major organ of UK solicitors, has finally editorialised on blawgs, including this esteemed site. I guess, we really are in the 21st century, Matilda.. (Even if they didn't give MY URL!)

Since many bloggers' (and blog-readers') days are spent mainly achieving this very aim, and often under a pseudonym or under cloak of anonymity, the unrest such a law has incited among the lieges becomes understandable. Some blog sites, such as Blogspot, leave it open to users to use either their true name or a pseudonym (or no name at all) when commenting; others, such as Live Journal, actively encourage users to comment only sub pseudonym (although it should be noted that comments made anonymously can also, on various blog sites, be banned). In the US, anonymity for political (though not other) purposes has a degree of constitutional protection (McIntyre v. Ohio Election Commission) and so the freedom of speech mavens are up in arms.

More recent reports have suggested however that (a) this is in fact not a new law at all, but merely an amendment of existing US law relating to "annoying" ie nuisance telephone calls, and (b) that even the amended law continues as before to exclude "interactive computer devices" though it does include calls made at least partially via the Internet. It seems possible therefore that the new law merely extends the old nuisance phone calling prohibition to calls made via IM and VOIP, and is not intended to extend to email, Internet web and Usenet posts at all. The point is also well made that incidental annoyance caused by irate posters, is not at all the same as criminally intending to cause annoyance.

What interests me, though, is that in the UK, as usual, we have on the whole collectively patted ourselves on the back and said "Mad Americans, it couldn't happen here." But in fact, it already has.

(1) A person is guilty of an offence if he-
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
and
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another [emphasis added], he-
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.

So it would appear that, say, the persistently "annoying" commenter on Blogger - a spammer, for example, or perhaps just a particularly brusque or longwinded repeat correspondent - could hypothetically be charged under s 127. Subsection (2)(c) does not appear to require that the "message" be false; nor (as with the US law) is there even the need for anonymity.

And yet no one here makes a fuss about the non-constitutionality of it all. Such a criminal provision has existed since at least 1984 under our old Telecommunications Act, to deal with, surprise, nuisance/crank/malicious phone calls. It was quietly extended to the Internet in the 2003 Act (wherein the definition of a "public telecommunications network" can be found) and even more quietly, has anecdotally been used by the police on occasion since to charge Denial of Service, in the absence of clear guidance as to whether s 3 of the Computer Misuse Act 1990 would cover that crime. (see Blogscript, elsewhere).

Should repeat emails or web posts be criminal simply because they are annoying, inconvenient or anxiety-provoking but not false, malicious or libellous? If they contain threats, they will in any case be chargeable as assault; if they are false and relate to a living person, they will often be pursuable as libels. With phone calls it is clear that repeated nuisance calls have a deleterious psychological effect on the victim. But web posts can be ignored, software exists to ban named posters from commenting on many sites, and email can be similarly filtered. Unusual though it is, in a world where we usually try to draft convergence-neutral laws, freedom of speech does seem to demand a different balance for net communications than it does with conventional telephone calls. Perhaps the 2003 Act, s 127 should be reviewed?

Friday, January 06, 2006

Governments are keen on encouraging digital uptake by citizens, because they see the potential both to get votes, reduce voter apathy, and to reduce costs by expanding e-government. But what gives with one hand takes with another. The Register reports that Craig Murray, the former UK ambassador to Uzbekistan, has effectively avoided the Official Secrets Act by publishing classified documents the government attempted to suppress on his blog. Murray now claims these appeared in over 4,000 blogs within 72 hours. And that the government are unlikely to prosecute him under the OSA - as would of course still be possible - since no jury would be likely to convict.

Both official secrets and contempt of court have long been regarded as dead in the water since the advent of the Internet and at least since the Spycatcher debacle. It will be interesting to see what action, if any, the government do take.

Thursday, January 05, 2006

Details of the Sony US settlement re their offending DRM-enabled "root kit" CDs are helpfully reported at Out-Law.com. Inter alia, customers who bought the protected CDs will be entitled to $7.50 each and one album download from a list of 200 titles, or three album downloads from the list if they waive the cash offer.

Sony BMG also undertakes to take "commercially reasonable steps" to destroy the information that it collected from users – the "spyware" aspect of the fracas - namely, album details and IP addresses – within 10 days of collection, except as otherwise required by law or court order. And they undertake to make sure that in any future CD production, no software is installed before the user accepts the EULA -a major step towards transparency which will hopefully now be accepted as an industry must-do.

"On December 26th, it was announced that Britain would become the first country in the world where the movements of all vehicles on the roads are recorded. A new national surveillance system will hold the records for at least two years. Using a network of cameras that can automatically read every passing number plate, the plan is to build a huge database of vehicle movements so that the police and security services can analyze any journey a driver has made over several years. By next March a central database installed alongside the Police National Computer in Hendon, north London, will store the details of 35 million number-plate "reads" per day. These will include time, date and precise location, with camera sites monitored by global positioning satellites. Already there are plans to extend the database by increasing the storage period to five years and by linking thousands of additional cameras so that details of up to 100 million number plates can be fed each day into the central databank. Civil libertarians are concerned that the movements of millions of law-abiding people will soon be routinely recorded and kept on a central computer database for years."

The British public, unlike privacy advocate groups, has always supported ubiquitous surveillance, at least in the form of CCTV, where the alternative appeared to be the risk of exposure to crime. Will the killer combo of ID cards and full fledged Big Brother style surveillance of all vehicles, with no incentives in sight but speeding tickets, turn the tide of opinion?

If you do care about privacy, this certainly makes worrying over tosh like RFID in the retail chain look like a minor affair. Although if you combine car tracking for the socially included, with ID cards and RFID-cash tracking for the rest, the prospects of future employment for data miners (not minors) look bright indeed.. Minority Report, which I watched again over Xmas, looks nearer and nearer to truth. How far are we from the Dept of Pre-Crime now?

Several very interesting recent developments in UK cybercrime case law:

War-chalking or wireless bandwidth theft: The Register report that a man was last week fined £500 after a British jury found him guilty of using a neighbourhood wireless broadband connection without permission. Gregory Straszkiewicz, 24, was also sentenced to a 12 months conditional discharge after he was convicted of dishonestly obtaining a communications service and related offences at London's Isleworth Crown Court last Wednesday (20 July). Beeb also reported it.

The case - brought under the Communications Act 2003 s 125 - is the first "war driving" prosecution in the UK, according to the police. The Act - which is UK wide - introduced a new offence of dishonestly obtaining an electronic communications service with the intent to avoid a charge applicable to that service. Mr Straszkiewicz is reported to have been caught by police outside a residential building surfing the internet using a laptop. Some commentators have suggested that this might extend the criminal law to surfers who accidentally jump onto another party's net connection (easy to do if a host is using an unsecured connection with no encryption, as many still do). IMHO the mens rea requirement makes this seem unlikely, however.

Denial of service (DDOS): in my soon to be published article Edwards L, “Dawn of the Death of Distributed Denial of Service: How To Kill Zombies”, forthcoming (2006) Cardozo Arts and Entertainment Journal, I expressed doubts, contrary to the rather more optimistic approach of both the police and APIG (the All Party Parliamentary Internet Group), that the Computer Misuse Act 1990, s 3, did indeed criminalise denial of service per se.

Section 3 of the CMA prohibits unauthorised modification of computer data - and was originally intended to criminalise the spreading of computer viruses (having been drafted long before DoS became common). DoS basically involves sending so many page or access requests to a computer server that it falls over. It has long been uncertain if this would constitute an "unauthorised modification" under s 3 - if sending one email is a legitimate act, impliedly authorised by the website or server, and not a "modification", is sending 5 million? I think not, although the policy implications are obviously unfortunate.

A UK court has now agreed with me. The judge, District Judge Kenneth Grant, in a November 2005 case at Wimbledon Magistrates' Court, involving a teenager who could not be named for legal reasons, but who had allegedly sent five million emails to a former employer to cause a DoS attack, ruled:

"In this case, the individual emails caused to be sent each caused a modification which was in each case an 'authorised' modification. Although they were sent in bulk resulting in the overwhelming of the server, the effect on the server is not a modification addressed by [the Act]."

As Peter Sommer, a senior research fellow in the London School of Economics' Information Systems department, put it: "When you send an e-mail to an e-mail server, you are not modifying that server, because the purpose of the e-mail server is to sit around waiting to receive e-mails aimed at that domain."

It is not clear from available evidence if the teenager was ever charged with an offence under s 1 of the CMA, which prohibits unauthorised access to a computer or data. It has been hypothesised that a distributed DoS attack, which involves enslaving a large network of unknowing "bot" computers via hacking or virus infestation to send the emails that form the DoS attack, might be susceptible to a s 1 charge. But if the emails the teenager sent contained no malicious material, and he did not use any means of unauthorised access to send email to the victim's server, or utilise a bot network, then s 1 would also not be relevant.
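The two shapes of attack discussed above (one source sending millions of messages, versus many enslaved "bot" machines each sending a few) look quite different in a mail server's own logs, and that difference is what a defender keys detection on. The following is an added example, not code from the post or from the case; the log line format, the sample addresses and the thresholds are all constructed for illustration.

```python
"""Detect a mail flood from SMTP-style receive logs (added example).

Two heuristics run over a mail server's receive log:
  * per-source flood: one IP delivering more than PER_SOURCE_LIMIT messages
    within any WINDOW_SECONDS window (the single-sender DoS in the case above);
  * aggregate flood: total arrivals exceed AGGREGATE_LIMIT in a window while
    no single source trips the per-source limit (the distributed pattern,
    where the load is spread thinly across many compromised hosts).
The "<ISO timestamp> RECV from=<ip> to=<addr>" log format, the 192.0.2.0/24
addresses and the thresholds are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60      # sliding window length
PER_SOURCE_LIMIT = 50    # messages per source per window before alerting
AGGREGATE_LIMIT = 200    # total messages per window before alerting


def parse_line(line):
    """Split a constructed log line into (timestamp, source_ip)."""
    ts_str, _, rest = line.partition(" RECV ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["from"]


def detect_floods(lines):
    """Return per-source offenders, the aggregate peak, and whether the
    pattern looks distributed (high total, no single source over the limit)."""
    per_source = defaultdict(deque)   # ip -> timestamps inside the window
    overall = deque()                 # all timestamps inside the window
    peaks = defaultdict(int)          # ip -> highest count seen in any window
    aggregate_peak = 0
    for line in lines:                # lines are assumed chronological
        ts, src = parse_line(line)
        q = per_source[src]
        q.append(ts)
        overall.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        while (ts - overall[0]).total_seconds() > WINDOW_SECONDS:
            overall.popleft()
        peaks[src] = max(peaks[src], len(q))
        aggregate_peak = max(aggregate_peak, len(overall))
    flooding_sources = {ip: n for ip, n in peaks.items() if n > PER_SOURCE_LIMIT}
    distributed = aggregate_peak > AGGREGATE_LIMIT and not flooding_sources
    return {"per_source": flooding_sources,
            "aggregate_peak": aggregate_peak,
            "distributed": distributed}


def constructed_log(n_sources, per_source, spacing_seconds,
                    start="2005-11-01T09:00:00"):
    """Build a constructed log: n_sources * per_source messages, one every
    spacing_seconds, rotating round-robin across the sources."""
    t0 = datetime.fromisoformat(start)
    lines = []
    for i in range(n_sources * per_source):
        ts = t0 + timedelta(seconds=i * spacing_seconds)
        ip = f"192.0.2.{1 + (i % n_sources)}"
        lines.append(f"{ts.isoformat()} RECV from={ip} to=victim@example.com")
    return lines


if __name__ == "__main__":
    print("single sender:", detect_floods(constructed_log(1, 300, 0.1)))
    print("distributed:  ", detect_floods(constructed_log(100, 3, 0.1)))
    print("normal load:  ", detect_floods(constructed_log(5, 4, 10)))
```

The single-sender case trips the per-source rule on its own; the distributed case only shows up in the aggregate count, which is why per-IP rate limiting alone is a weak defence against a bot network and why the aggregate view matters.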

It is likely we will now see legislative change on both "vanilla" DoS and Distributed DoS. A Private Member's Bill already introduced will be read again in 2006. The Scottish courts are also soon likely to have a chance to rule on DoS when the case of a man in Elgin comes to court.

Sony had some extremely bad press near the end of 2005 when it transpired that Digital Rights Management (or technical protection measures or TPM) software they had placed on some music CDs to prevent them being ripped or played via iTunes, had had the unfortunate additional effects of acting as spyware and rendering user machines vulnerable to virus attacks by third parties. The DRM software was invisible to the user when the CD was loaded, and the EULA laid down that users accepted the DRM as a condition of purchase.

Sony are now under threat of prosecution from various state attorneys in the US and in other countries. They have already made a financial settlement which is likely to protect them from criminal prosecution in the US but Naked Law are now speculating as to whether s 3 of the CMA (that old warhorse again :-) could be used to prosecute Sony in the UK. The matter is likely to be academic, as there is no evidence any consumer in the UK has suffered from the DRMed CDs, but the interesting question is whether s 3, which makes it an offence to intentionally modify the contents of a computer without the consent of the user, would apply. Users must accept the EULA to play the CD, but the EFF have claimed in the past in relation to similar Sony DRM-protected CDs that "the [DRM] software is installed prior to display of the relevant EULA, and is not removed even if a user does not accept the terms of the EULA". There is also the question of how far a user can consent to a criminal act the full consequences of which he is largely or wholly ignorant.

Various commentators have pointed me towards the rather fabulous latest issue of LegalAffairs - which features inter alia Julian Dibbell on the taxation of virtual property, a novel topic if ever there was one in these our days of endless novelty, and an excellent summary of where we are in relation to the "repatriation" of the once "borderless" Net by Wu and Goldsmith, the latter one of the earliest cynics, sorry, pragmatists from the days when the "law of cyberspace" libertarian wave was at its height.

Discussing the French Yahoo! case, they highlight the often overlooked point that the French court principally decided to place Yahoo! US under their jurisdiction, not out of a sense of obstinate and blind assertion of sovereignty, but because they had discovered that Yahoo! pages served to French users were coming, not from the US site where Yahoo! were claiming the protection of the US First Amendment, but from a Stockholm mirror site. Wu and Goldsmith go on to reject the aphorism that "information wants to be free" in favour of the declarator that information wants to be organised and categorised, and point out that "geography turns out to be one of the most important ways to organize information on this medium that was supposed to destroy geography". Fascinating stuff.

Wednesday, January 04, 2006

Another catch up. The Sydney Morning Herald reported on Dec 7 2005 that details of a zero-day vulnerability in Microsoft's Excel spreadsheet program have been put up for sale on eBay, with the seller offering a starting price of 1 US cent. At the time of the article, the bidding had reached $US60 ($A79). Interestingly, the hacker had already reported the flaw to Microsoft but after receiving no response, put it up for sale on eBay. Ethical hacking goes guerrilla??

Talking of buying insecurity, it's well known that less ethical persons are now trading bot networks for sums almost though not quite as low as the above. Any serious future concerted EU security policy may have to look at ways of monitoring and clamping down on such sales, public and private, as clearly the serious crime interests who are now using bot networks for spamming, phishing etc are no longer the teen hackers of yore, but simply businessmen who will buy bot networks to make a profit, just like they now buy drugs.

Tuesday, January 03, 2006

Yet more turn of the year past- and future-gazing, emphasising the idea that consumers are now as likely to be participatory citizens and producers of digital products, as passive recipients of services. Blogging, podcasting, and vlogging - video blogging - all get approving nods - as does the new Center for Citizen Media.

"Crucially, what 2005 proved was that far from these techno tools being purely dumb funnels for the same paid-for content from mainstream media, they had the chance to become powerful tools for political expression and reportage.

The consumer was turning into the citizen with a meaningful role to play. Media started to look more participatory and inclusive.

The Boxing Day tsunami of 2004 starkly showed the potential of these tools. Most of the memories of that day have been graphically captured, replayed and played again, making the event much more immediate and personal.

Later in the year, the 7 July London bombings and the hurricanes in the US forced home the fact that citizens had a much larger role in the production of news than ever before. "

This slightly more cynical commentator wonders if there may be downsides for the on line empowered consumer. What about consumer protection law? It tends to assume a disparity of power between creators/retailers/publishers and consumers. Will there be the same force behind arguments for strong consumer protection laws on line in the WEU when consumers are seen as active not passive?

One hard question here is what might happen, in various jurisdictions, if an eBay buyer claimed consumer protection in a contract gone badly wrong. Would such a person still be characterised as a "consumer" if they were sometimes or mostly an eBay seller? Hmmm.

I wonder how they measure it? Assuming it's only based on cybercrime activity they actually detect, the actual figure must surely be much much larger. (The original newspaper report admits that "It is difficult to gauge the true number of security failures because many companies are unaware they've been hacked, the paper said.")

Well, lordy lordy, someone in the UK has finally actually managed to successfully sue a spammer. (This story reported December 27th 2005 - catch up time again, folks.) The miracle of Xmas is clearly with us. Before you cheer too much however, notice the damages - the grand sum of £270. And that isn't just, as the Beeb story suggests, because the claim was done as a small claim - it's because the damages are limited by the actual damage that can be proved to have been done, which is extremely low for most individuals. Even if the criminal law gets involved, the maximum fine under the anti spam provisions of the Privacy and Electronic Communications Regulations falls within Data Protection legislation - and that, barring solemn procedure (very unusual indeed) is £3,000. Compare to the million dollar punitive damages you can get in the US under the Can Spam Act, or even the 6 figure sums that ICSTIS, the UK premium phone line regulator, can impose when operators breach their rules. DP legislation sanctions are a joke and need reformed desperately. US type class action rules for civil suits would help too. (And hey, I won't even start on how 90% of spam comes from outside the EU and is effectively without control by EU citizens anyway..)

Monday, January 02, 2006

Happy New Year! and welcome to some new(ish) interesting stories which have slipped by Blogscript in our, er, seasonal hiatus :-)

The ever faithful Beeb report the emergence of Spy Media, an agency which plans to provide a market place for the sale and exchange of blog posts as well as pictures snapped by ordinary citizens armed with digicams, phonecams and webcams. The idea of a press agency to market the increasingly valuable snaps taken by the public, and which will allow amateurs as well as professional photographers to hawk their pix to the media for solid dosh, is not new: Scoopt may well have been the first into the market. Pictures taken by the public increasingly shape the global public image of events from the second they happen: the BBC eg received 50 pictures from the public within an hour of the London bombings on July 7 2005.

But Spy Media plan to do more. They plan to "educate people. They are going to demand that material [marketed via Spymedia] not be sent through RSS where people utilise them without permission."

In other words, Spy Media plan to start policing the very common current practice of A N Other providing an RSS feed so that in-demand on-line content from other platforms or websites can be "syndicated" for free to readers all over the blogverse (and without the annoying local platform pop ups and ads). Such RSS syndication without permission is clearly a breach of copyright. But it is also very much a tool whereby the work of unknown creators goes from cult unknown to commercial success: as happened, eg, with the on line gaming cartoon, P v P (which now restricts its content from being RSSed). As with P2P services, it may be worth considering if closing down such RSS feeds may not be more damaging than nurturing to creator revenues. In terms of the syndication of "ordinary" blog posts (as opposed to, say, cartoons or comics or professional quality photos) there must also be a strong argument of implied licence to copy - the aim of most bloggers is, after all, as wide an audience as they can get, rather than monetary rewards.

RSS as a format makes loss of control by creators if not inevitable then extremely hard to police**. But it also is an amazing tool for participatory democracy and brand building for individual creators without corporate advertising budgets. Much of sf writer and EFF official Cory Doctorow's brand recognition as an author, eg, has been built on his co-authored blog Boing Boing, widely syndicated via RSS. It may be better to look at alternative means of revenue collection than to persuade creators into a cease and desist campaign on unauthorised syndicators. One is drawn again to Fisher's vision of a world of compulsory licensing of on line content (music, pictures, and images, perhaps?) along with some kind of entertainment levy.

** Aha. Enquiries among local techie friends (many thanks to Andrew Ducker, Simon Bisson, Mike Scot) reveal that when you are attempting to restrict syndication of images (eg the P v P on line comic), you can set the site up so that when a request for the image comes in, it checks to see if you're looking at it on the site itself, or on a different one, and "can then send an image saying "Yaah, boo, sucks to you" to people trying to read it from offsite, and the actual image to people looking at it on your site."

(You still can't stop someone creating an RSS feed on their own site saying "Look, there's a new PVP comic over there" - an alert feed. But that's OK, it seems to me. Potential readers are driven to the site of origin, where the creators have chosen to make their work public in the first place, and get the benefits of such. Where's the problem with that?)
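The check the techie friends describe is done on the HTTP Referer header: the browser tells the server which page embedded the image, and the server serves the real picture only when that page is on its own site. What follows is an added example of that mechanism, written for this post; it is not code from the P v P site or from anyone credited above. The host names, the placeholder bytes and the `allow_missing` option are assumptions made for the example.

```python
"""Referer-gated image serving, i.e. hotlink / feed-syndication control
(added example, not from the post or the sites it mentions).

Serve the real image to requests that come from our own pages, and a
placeholder ("Yaah, boo, sucks to you") to requests embedded in other
people's pages or feeds. SITE_HOSTS, REAL_IMAGE and PLACEHOLDER are
constructed stand-ins.

Caveat for anyone deploying this: Referer is set by the client, is often
stripped (privacy tools, some proxies, HTTPS-to-HTTP links), and can be
set to anything by a determined syndicator, so this is a deterrent against
casual hotlinking, not an access control. A cache in front of the server
must also vary on Referer, or it will hand the cached real image to everyone.
"""
from urllib.parse import urlsplit

SITE_HOSTS = {"comics.example", "www.comics.example"}   # constructed
REAL_IMAGE = b"\x89PNG real-strip-bytes"                 # stand-in for the real file
PLACEHOLDER = b"\x89PNG yaah-boo-sucks-to-you"            # stand-in for the placeholder


def classify_referer(referer, site_hosts=SITE_HOSTS):
    """Return 'onsite', 'offsite' or 'missing' for a Referer header value."""
    if not referer:
        return "missing"
    host = urlsplit(referer).hostname   # lower-cased, port stripped
    if host is None:
        return "offsite"                # unparsable header: not one of ours
    return "onsite" if host in site_hosts else "offsite"


def pick_image(referer, allow_missing=True):
    """Choose which bytes to serve. allow_missing=True lets direct visitors
    and privacy-conscious browsers (no Referer) see the real image; set it
    False for a stricter policy that also blanks those readers."""
    kind = classify_referer(referer)
    if kind == "onsite" or (kind == "missing" and allow_missing):
        return REAL_IMAGE
    return PLACEHOLDER


def app(environ, start_response):
    """Minimal WSGI app: every path serves the strip, gated by Referer."""
    body = pick_image(environ.get("HTTP_REFERER"))
    start_response("200 OK", [
        ("Content-Type", "image/png"),
        ("Content-Length", str(len(body))),
        ("Vary", "Referer"),            # caches must key on Referer too
        ("Cache-Control", "private"),
    ])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("serving on http://127.0.0.1:8000/ (Ctrl-C to stop)")
        httpd.serve_forever()
```

Run it and request `http://127.0.0.1:8000/strip.png` once with a Referer on `comics.example` and once with one on another host; only the first gets `REAL_IMAGE`. The `Vary: Referer` header is the part most often forgotten: without it a shared cache defeats the whole scheme.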

But if you're trying to protect syndication of text it's a whole other story. There's almost nothing anyone can do to stop someone scraping an open-to-the-public website's HTML and building a feed from it. "The thing is, once you have content in an open format like HTML, anyone can do anything with it. Blocking screen-scraping spiders is not a trivial exercise if they don't want to be blocked."